Squaring the Constitutional Circle with CSIS Datasets

Cyber+Image+2.jpg

Apr 27 2019

By Craig Forcese and Leah West

Bill C-59 creates a new “dataset” collection, retention and use system for the Canadian Security Intelligence Service (CSIS). It is a complicated system, responding to a series of hard policy dilemmas. This post does not describe the full workings of the system or its policy genesis. (See, however, Leah West’s Lawfare summary.) Rather, it focuses on a point of controversy: the concept of “publicly-available datasets.”

Basic Policy Dilemma

Under its security intelligence (section 12) mandate, CSIS shall “collect, by investigation or otherwise, to the extent that it is strictly necessary, and analyse and retain information and intelligence respecting activities that may on reasonable grounds be suspected of constituting threats to the security of Canada.” “Strictly necessary” applies to both collection and retention. It means that CSIS may keep what it needs so long as the information is threat-related. It may not keep (and by extension) analyze information not already, or no longer, tied to “threats to the security of Canada.” Without the ability to ingest data not directly linked to a specific threat investigation, CSIS is largely unable to perform data analytics to detect unknown threats. Analogizing to fishing:  CSIS may fish for new fish, but only in a pond made up of fish it has already caught.

Basic Dataset Workings

Bill C-59 aims to correct this problem. However, in doing so, it must reconcile obvious privacy issues raised by CSIS ingesting and analyzing data which may or may not reveal threats. Simply removing “strictly necessary” from section 12 would ignore inevitable Charter issues; namely the question of whether the Charter’s search and seizure protections in section 8 are triggered when the state pools otherwise innocuous pieces of information to create a mosaic that may reveal deeply personal beliefs, tendencies, habits or conduct. Compiling such a mosaic may very well create unique “reasonable expectations of privacy” (REP) different from that triggered by the collection of each little bit of information.

C-59 creates, therefore, a more complex system. It defines datasets as “a collection of information stored as an electronic record and characterized by a common subject matter.” The proposed law only governs dataset collection if a dataset contains personal information—defined in section 3 of the Privacy Act, as information about an identifiable individual—and does not directly and immediately relate to activities that represent a threat to the security of Canada. (Remember, CSIS may already collect and retain threat information as part of the existing section 12 mandate).

Datasets are divided by content into three categories (which we call “buckets”): publicly-available, Canadian, or foreign. A Canadian dataset is one that predominantly relates to Canadians or persons within Canada, while a foreign dataset predominantly relates to non-Canadians outside Canada. There are checks and balances superimposed on the Canadian and Foreign datasets, the net effect of which is

  1. the initial collection is authorized by “a reasonable law applied reasonably”, thus permitting warrantless collection of information in which a person may have an REP without violating s. 8 of the Charter;

  2. the Federal Court (for Canadian datasets) or the new Intelligence Commissioner (for foreign datasets) must approve the retention of datasets and may place constraints on its use before CSIS can search or exploit the data, thereby creating (at least general) judicial pre-authorization for activities that may intrude on REP; and

  3. the actual use of the collected data, meaning the search within the data pool, is governed by a reasonable law applied reasonably, again permitting warrantless searches that may reveal information in which a person may have an REP without violating s. 8 of the Charter.

The bill does not set out the same checks and balances for data in the publicly available bucket; the premise for this seemingly being that if data is publicly available, it isn’t private and thus not protected from collection by s. 8 of the Charter.

The Fly in the Ointment

In sum, the C-59 dataset system constitutes a quid pro quo: the bill loosens CSIS’s traditional constraints to the extent that it may consume a broader ocean of data. But retention of this data (at least for Canadian datasets) requires judicial supervision. This system recognizes that privacy interests extend beyond the point of collection and include retention and use. In so doing, the proposed system short circuits inevitable Charter section 8 issues; specifically, questions noted above about whether section 8 attaches to data analytics.

Still, it matters into which of the three “buckets” information is placed. Some information may be publicly-available but still raise considerable privacy implications (e.g., hacked private information dumped on the internet). And yet, the publicly-available dataset regime has none of the checks and balances that place the Canadian and foreign dataset systems on a plausible constitutional foundation. (If, for example, the data collected was the stolen Ashley Madison customer information, the publicly-available dataset system may be difficult to defend as “a reasonable law applied reasonably”, and it has no judicial authorization component, general or otherwise.)

CSIS has indicated before Parliament that it will not treat hacked information as publicly-available (even though not all hacked information will necessarily invoke an REP.) This is, however, a policy decision, not one required by law. Should CSIS subsequently adopt an underinclusive policy that steers information in which a Canadian still has an REP into the “publicly available” bucket, the constitutionality of this practice would be suspect.

Possible solutions

One solution would be to amend Bill C-59 to define “publicly available” as excluding “information in which a Canadian or person in Canada retains a reasonable expectation of privacy.” This would have the effect of steering such information into the “Canadian dataset” bucket, with its more constitutionally-robust oversight system. It remains to be seen whether the Senate will propose such an amendment.

Still, the existence (or not) of a statutory signal of this sort ultimately does not change the rules for CSIS. Either way, if CSIS fails to filter, and instead runs REP information through a publicly-available dataset regime with virtually no checks and balances, it seems likely it will encounter serious constitutional problems.

The larger dilemma here is this: exactly what information raises REP when the reason you are collecting it is to combine it with other information in the hopes of revealing something private? This question is notoriously tricky. Too embracing a standard, and CSIS would need to run the phone book through the Canadian dataset regime. Moreover, collecting bits of seemingly innocuous personal information to reveal something the target of investigation would like to keep private is necessarily the point of every intelligence and criminal investigation. Making the dataset system work will depend, therefore, on careful policy development and reasonable assessments of what information raises REP.

At the very least, therefore, we suggest that the Minister of Public Safety issue a ministerial direction determining what classes of information may properly be considered publicly-available and triaging those where there are plausible REP arguments. That triage could steer all REP information into the Canadian dataset regime. Or, at a minimum, it should involve a procedure established by law (in the form of the ministerial direction) with safeguards more robust than the current publicly-available dataset system. Padding the latter with a thoughtful ministerial direction at least would create a foundation for a “reasonable law, applied reasonably” argument, should CSIS face a section 8 objection.